Firms Lack Malware Analysis, Incident Response Expertise: Study

Targeted attacks that use custom malware and other techniques to dupe traditional security software such as antivirus can be detected with advanced threat detection technologies, but most firms lack the skilled security expertise to follow up with analysis and incident response when a threat is detected.

The study, a blind survey of 200 malware analysts at U.S.-based enterprises conducted in October by independent market research firm Opinion Matters on behalf of ThreatTrack Security, found a shortage of highly skilled security professionals capable of dealing with advanced threats, as well as a shortage of the automated malware analysis tools needed to thoroughly respond to and contain threats.

About 40 percent of those surveyed indicated that businesses lack highly skilled personnel to combat cyberattacks effectively. Another 35 percent said automated tools to address the growing threat of custom malware are lacking in most IT departments. The survey shines a light on a new breed of advanced threat detection capabilities, mainly sandboxing technology used to examine suspicious file behavior and detect previously unknown malware strains.

Solution providers said the focus on cyberespionage attacks and increasing sophistication of malware has put emphasis on detection technologies after an infection has already taken place. Most business executives realize that malware could already be lying dormant on their systems, said Jared Tobiasen, business development manager at Marlborough, Mass.-based Arrow Electronics.

"It's been a manic industry lately with a lot of talk about advanced persistent threats," Tobiasen told CRN in a recent interview. "For some solution providers, getting a feel for truly understanding the threats and how to combat them can be extremely difficult out the gate."

Joseph Cordaro, a senior security architect at Dallas-based security firm Critical Start, said he's seen a rising interest in RSA's eCAT product, designed to inspect running processes and drivers in Windows-based systems to identify behavior related to advanced malware. RSA has been working on training partners to provide expertise to business clients that may not have large IT teams capable of dealing with threats and day-to-day issues all at once, Cordaro said.

"They're seeking technology and expertise and it's not always doable at the same time," Cordaro said in a recent interview. "You find that you've given yourself a lot more work when you find out what's already inside your network."

The ThreatTrack survey found that most attacks are being carried out in phishing email campaigns, with end users consistently clicking on malicious links in messages. Infected USB sticks also spread malware, and third-party applications, riddled with vulnerabilities, make it easier for attackers to gain an initial foothold into systems, survey respondents said.

The volume and complexity of malware threats tie up IT teams and cause expenses to increase rapidly, the survey found. Only 4 percent of malware analysts said they can analyze a sample in under an hour. In fact, more than 80 percent said it takes between one and five hours to conduct thorough analysis of a malware sample.